Influx of spam?!


I've been receiving more and more spam in my [at]spamcop.net email account lately... Just last night I received over 114 spam messages. This is nuts. Can anyone explain why these are not getting blocked.

hi OverSeer!

If you think through your question carefully you'll realise that you really haven't provided much information to help anyone offer anything other than generic answers. You'll need to tell us about how you've configured your SpamCop Email account (which block lists you've selected, whether you use grey-listing, what your SpamAssassin levels are). You'll need to tell us how mail reaches your SC account (Does it receive Email forwarded from another Email address and if so, is that a so-called catch-all Email address).

In fact there are so many considerations that nobody can do much more than guess at reasons without more information.

If you've reported these items then send a few tracking links and that may give some extra clues.

FWIW I got my typical half dozen spams to report when I last checked in. But that is a meaningless figure unless you also know how I have configured my account. (I use grey-listing, have SpamAssassin set at 4 and have used SpamCop Blacklist, Spamhaus Blacklist, China (the country), Nigeria, Argentina, Brazil, Spamhaus XBL.)

Andrew

Edited by agsteele

I've been receiving more and more spam in my [at]spamcop.net email account lately... Just last night I received over 114 spam messages. This is nuts. Can anyone explain why these are not getting blocked.

Check the headers of the spam and it will tell you why each message got through... often, a sudden increase means that you recently whitelisted your own address.

I too am seeing a significant number of what should be spam mail get into my inbox. My spam detection rates have plummeted in the past week from approximately 99.999999% (i.e., one or two escapees making it to my inbox every week) to dozens that get through daily.

I estimate my current detection rate is between 66% and 75%.

I am just using the spamcop.net bl list, and have a SpamAssassin threshold of 5. All of these escapee messages have SpamAssassin scores under 5.

Here are some sample reports:

http://www.spamcop.net/sc?id=z2787948062zd...3eb290fbf5e15bz

http://www.spamcop.net/sc?id=z2787949137z9...9bfda269c47c1fz

http://www.spamcop.net/sc?id=z2787949407z4...2cd121d6e42842z

http://www.spamcop.net/sc?id=z2787948557z2...ee943f63f1804bz

In the last 12 hours, I've had 38 messages get through that should have been caught, out of 53 total messages.

This may be the future of spam that Overseer and I are experiencing. And it doesn't look good.

AndrewB

I am just using the spamcop.net bl list, and have a SpamAssassin threshold of 5. All of these escapee messages have SpamAssassin scores under 5.

All of the samples you linked to *should* have been caught in your Held folder, in that they were all blocked due to SCBL listings, and yet you seem to be saying that they made it to your inbox? Please clarify. BTW, I lowered my SA threshold from 5 to 4 years ago, as 5 seemed to allow too many false negatives.

I've been receiving more and more spam in my [at]spamcop.net email account lately... Just last night I received over 114 spam messages. This is nuts. Can anyone explain why these are not getting blocked.

I'd agree with those who are suggesting you check your personal whitelist and make sure your address is NOT there. The only other time you posted here (about a year and a half ago), you had your own address whitelisted:

http://forum.spamcop.net/forums/index.php?showtopic=8753

We advised you to change that back then, but you never responded to any of us. Also, one of the reasons that you're receiving spam at your SC address is that it's posted publicly in various forums around the web, where spambots can harvest it (just did a Google search and saw about 25 hits). I generally advise people to keep their email address *off* of websites if at all possible.

DT

<snip>

I am just using the spamcop.net bl list, and have a SpamAssassin threshold of 5. All of these escapee messages have SpamAssassin scores under 5.

<snip>

All of the samples you linked to *should* have been caught in your Held folder, in that they were all blocked due to SCBL listings, and yet you seem to be saying that they made it to your inbox? Please clarify.

<snip>

Hi, AndrewB,

...You didn't mention if you checked the idea posted by StevenUnderwood, above.

I'd agree with those who are suggesting you check your personal whitelist and make sure your address is NOT there. The only other time you posted here (about a year and a half ago), you had your own address whitelisted:

While possible, there should also be a header that indicates that action was taken that is missing from these messages. I have submitted a problem ticket to try and get someone to look at this.

While possible, there should also be a header that indicates that action was taken that is missing from these messages.

But wait....are we sure that the sample messages Andrew linked to got whitelisted? I just checked my own mailbox and the whitelisting status header is working just fine.

DT

All of the samples you linked to *should* have been caught in your Held folder, in that they were all blocked due to SCBL listings, and yet you seem to be saying that they made it to your inbox? Please clarify. BTW, I lowered my SA threshold from 5 to 4 years ago, as 5 seemed to allow too many false negatives.

Correct - the 4 reports I linked to above are samples of messages that made it to my inbox. I have more, but they are all similar in nature - one to three SpamAssassin rules triggered, scores < 5, and very short messages, some in HTML, with a link to another site.

My personal address is NOT on my whitelist or greylist - not an issue for me.

...You didn't mention if you checked the idea posted by StevenUnderwood, above.

As you can see in the reports that I offered URLs to, StevenUnderwood's comments don't directly apply to me. The reports do not indicate why it got through, other than the low SpamAssassin score. Unless I'm missing something.

AndrewB

<snip>

My personal address is NOT on my whitelist or greylist - not an issue for me.

AndrewB

As you can see in the reports that I offered URLs to, StevenUnderwood's comments don't directly apply to me.

<snip>

...Okay, thanks. You can either wait to hear whether StevenUnderwood's trouble report gets a reply or you could ask the SpamCop Deputies yourself by writing to deputies[at]admin.spamcop.net.

I've neither whitelisted my own address nor have I changed anything since I've started my service many many years ago... Yet, within the past few weeks, I've been inundated with more and more spam.

Also, be that as it may, just because my email address happens to be out there at some sites, shouldn't the purpose of my [at]spamcop.net address be that it BLOCKS spam. It used to work just fine, as I mentioned up until about 2 weeks ago...

And the reason I never responded about removing my name as a whitelist was because after I did it, there wasn't an issue so no need to respond. That was some time ago and my maturity in such matters has changed. I tend to leave responses, either positive or negative, now-a-days.

Edited by OverSeer

Correct - the 4 reports I linked to above are samples of messages that made it to my inbox.

That doesn't make sense, Andrew, because each of them had a "Disposition" line indicating that the message was indeed blocked due to the source IP address being on the SCBL. Therefore, the next assumption is that in the Filtering Blacklists section of your Spamcop Options, the "SpamCop Blacklist" option is not currently selected. That would explain why those messages are not being held.

Please log into the webmail and look into this possibility in the "options."

DT

That doesn't make sense, Andrew, because each of them had a "Disposition" line indicating that the message was indeed blocked due to the source IP address being on the SCBL. Therefore, the next assumption is that in the Filtering Blacklists section of your Spamcop Options, the "SpamCop Blacklist" option is not currently selected. That would explain why those messages are not being held.

Please log into the webmail and look into this possibility in the "options."

Ooof! You are right! Darn. I'm deluged with a lot of spam with the similar subject lines. I'll post some of the ones that got through after a more careful review process. Here are a few that got into my Inbox that I processed today:

http://www.spamcop.net/sc?id=z2788952117zc...f98e706c3b1c7fz

http://www.spamcop.net/sc?id=z2788925558zb...66ac99f0a51535z

http://www.spamcop.net/sc?id=z2788856046z6...18859a131c9605z

http://www.spamcop.net/sc?id=z2788818021z1...4c8c5cf27c60c7z

http://www.spamcop.net/sc?id=z2788817982z1...aa00f276586b9cz

http://www.spamcop.net/sc?id=z2788573740za...bef0941aeae624z

http://www.spamcop.net/sc?id=z2788573749z5...d69c0d64bd06e2z

http://www.spamcop.net/sc?id=z2788573762z5...b205f803ddea85z

Sorry about the wild goose chase. There is now a real goose behind these

And I did double check my SpamCop tools settings. Things are as I expect: SpamAssassin at 5, and the SpamCop blacklist is the only one checked.

AndrewB

Ooof! You are right!

What am I right about? That the previous examples were actually from your Held folder, perhaps? The new examples are all ones that were not on the SCBL, and therefore don't have a "Disposition" header line. BTW...I'd recommend using more than just the SCBL in your Blacklists options.

DT

What am I right about? That the previous examples were actually from your Held folder, perhaps? The new examples are all ones that were not on the SCBL, and therefore don't have a "Disposition" header line. BTW...I'd recommend using more than just the SCBL in your Blacklists options.

Yes, they were from properly held email, but the new examples were not and escaped into my inbox.

So what are the recommended blacklists to configure? And why isn't SpamCop's the best? :)

AndrewB

<snip>

So what are the recommended blacklists to configure? And why isn't SpamCop's the best? :)

...There is some guidance in SpamCop Forum thread "How We Use SpamCop, Detailed Examples."

...Which BL is "best" is kind of in the "eye of the beholder" -- whichever works best for you is best. I think DT's suggestion was not meant to imply that SpamCop BL is not "best" but rather that more than one is better than just the one. Right, DT?

I think DT's suggestion was not meant to imply that SpamCop BL is not "best" but rather that more than one is better than just the one. Right, DT?

I'm often frustrated by what's *not* on the SCBL, in that even though a dozen of us have submitted live samples from a given source, the source isn't listed. Most of the SCBL listings seem to come from spamtrap hits...at least that's how it seems to me. So I'm not saying what's good, bad, or better....they're just different.

As for the BLs, I'd suggest selecting ALL of them, unless you have a specific need for communications from one of the countries in the country-specific lists (sorry, Nigeria, but I'm not going to do what it takes to block you). If you do, you can always whitelist specific senders.

Using all of the BLs, in addition to a lowered SA threshold, can keep more spam from reaching your inbox.

DT
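
An added illustration, not part of the thread and not SpamCop's own code: a small model of the filtering decision discussed in the posts above (whitelist bypass, the selected blacklists, the SpamAssassin threshold), run over constructed messages. The listing data, the addresses, the `bl.spamcop.net` zone name and the order of the checks are assumptions.

```python
from dataclasses import dataclass, field

# Constructed DNSBL data (documentation-range IPs): names that "resolve" = listed.
LISTED_NAMES = {
    "10.2.0.192.bl.spamcop.net",
    "10.2.0.192.cbl.abuseat.org",
    "7.100.51.198.cbl.abuseat.org",
}

@dataclass
class Message:
    sender: str
    source_ip: str
    sa_score: float

@dataclass
class Settings:
    blocklists: list
    sa_threshold: float
    whitelist: set = field(default_factory=set)

def dnsbl_name(ip, zone):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def disposition(msg, cfg, listed=LISTED_NAMES.__contains__):
    """Return (folder, reason). Assumed order: whitelist, blacklists, SA score."""
    if msg.sender in cfg.whitelist:
        return "inbox", "whitelisted sender, filters skipped"
    for zone in cfg.blocklists:
        if listed(dnsbl_name(msg.source_ip, zone)):
            return "held", "blocked " + zone
    if msg.sa_score >= cfg.sa_threshold:
        return "held", "SpamAssassin score %.1f" % msg.sa_score
    return "inbox", "no selected list matched, score under threshold"

def escapes(messages, cfg):
    return [m for m in messages if disposition(m, cfg)[0] == "inbox"]

# Constructed sample mail; me@example.net stands in for the user's own address.
SAMPLE = [
    Message("me@example.net", "192.0.2.10", 2.1),   # forged "from yourself"
    Message("a@example.org", "198.51.100.7", 3.0),  # only on the second list
    Message("b@example.org", "203.0.113.5", 4.3),   # unlisted, score 4.3
    Message("c@example.org", "203.0.113.9", 0.4),   # unlisted, low score
]
SCBL_ONLY = Settings(["bl.spamcop.net"], 5.0)
ALL_LISTS = Settings(["bl.spamcop.net", "cbl.abuseat.org"], 4.0)
SELF_WHITELISTED = Settings(ALL_LISTS.blocklists, 4.0, {"me@example.net"})
```

Calling `escapes(SAMPLE, cfg)` with each of the three settings shows how many constructed messages reach the inbox with one list at threshold 5, with both lists at threshold 4, and with the user's own address whitelisted.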

Well, I don't know if something else has changed somewhere but I definitely have less spam since my OP this morning (only one made it into my Inbox)... Regardless I did take the suggestion of selecting all the BLs and lowering my ranking to 5... Thanks for all the help guys!!

Edited by OverSeer

As for the BLs, I'd suggest selecting ALL of them, unless you have a specific need for communications from one of the countries in the country-specific lists (sorry, Nigeria, but I'm not going to do what it takes to block you). If you do, you can always whitelist specific senders.

Using all of the BLs, in addition to a lowered SA threshold, can keep more spam from reaching your inbox.

Ok, thanks for your advice. I too have enabled all of the blacklists. And after 1.5 hours of inactivity, I have not had any escapee spam mail into my inbox.

I'll see how this goes overnight though - that's when the bulk usually appears. Or at least it feels that way when I see my held mail in the morning.

Andrew

Ok, thanks for your advice. I too have enabled all of the blacklists. And after 1.5 hours of inactivity, I have not had any escapee spam mail into my inbox.

Unless you have a great desire to see all the spam in your held folder, I'd recommend grey-listing in addition.

Andrew

Unless you have a great desire to see all the spam in your held folder, I'd recommend grey-listing in addition.

Oh, yes, any of you who have people send directly to your SC address should strongly consider turning on the greylisting. It's done in the "Manage your email forwarding, password, mail report, and greylist settings" option category.

I don't use it because I never give out my spamcop address. I have mail forwarded from other addresses, and use the "popgate" function to collect mail from several other sources (although popping from Yahoo has been broken for quite some time).

DT

I'll see how this goes overnight though - that's when the bulk usually appears. Or at least it feels that way when I see my held mail in the morning.

Although one day's results can't always claim success, I had about 80 spam mails properly held overnight, and one got through. That's acceptable for me at this time.

The cbl.abuseat.org blacklist seems to properly detect what SpamAssassin and SpamCop's blacklist miss, based upon my cursory glance of the disposition result in the Held Email webpage.

AndrewB

Although one day's results can't always claim success, I had about 80 spam mails properly held overnight, and one got through. That's acceptable for me at this time.

Very good. Don't forget about the greylisting option, however, because if these are messages being sent directly to your SC email address, greylisting will probably nuke most of the junk before you ever see it.

DT
